№ 01 Roles & Access
OpenFGA policy registry
Access is enforced by OpenFGA — Zanzibar-style fine-grained authorization.
Every API call resolves a check before any database access. The audit log captures every grant and revocation.
| Role | Scope | Permissions | People |
|---|---|---|---|
| SuperAdmin | Global | `all:*` | 1 |
| Admin / Ops | Tenant | `enrollment:*`, `verification:*`, `moderation:*`, `audit:read` | 6 |
| Legal | Tenant | `contracts:*`, `disputes:*` | 2 |
| Finance | Tenant | `invoices:*`, `payouts:*`, `ledger:read`, `tax:*` | 2 |
| Manager | Roster | `talent:assigned`, `deals:*`, `campaigns:*` | 6 |
| Agent | Roster | `talent:assigned`, `deals:*` | 8 |
| Client User | Company | `bookings:own`, `finance:own` | 423 |
| Talent | Self | `profile:self`, `bookings:own`, `earnings:own` | 1,847 |
| Customer | Public | `browse:public`, `newsletter:opt-in` | 18,420 |